Semi-device-independent security of one-way quantum key distribution

By testing nonlocality, the security of entanglement-based quantum key distribution (QKD) can be enhanced to being 'device-independent'. Here we ask whether such a strong form of security could also be established for one-way (prepare and measure) QKD. While fully device-independent security is impossible, we show that security can be guaranteed against individual attacks in a semi-device-independent scenario. In the latter, the devices used by the trusted parties are non-characterized, but the dimensionality of the quantum systems used in the protocol is assumed to be bounded. Our security proof relies on the analogies between one-way QKD, dimension witnesses and random-access codes.




The aim of quantum cryptography [?] is to warrant security against an eavesdropper solely limited by the laws of quantum mechanics. However, any quantum key distribution (QKD) scheme relies on an additional assumption which concerns information leakage out of the laboratories of Alice and Bob. Specifically, both parties must be free to choose which measurement they perform in each run of the protocol, and this choice of measurement, as well as the outcome of this measurement, should remain unknown to the eavesdropper. Indeed, if the eavesdropper has access to the lab of Alice or Bob, then security cannot be guaranteed.

Apart from these basic requirements, standard security proofs of QKD [?] also assume that Alice and Bob have excellent control over the quantum states and measurements used in the protocol. This assumption is, however, hard to justify in practice, where devices always feature some level of imperfection. Moreover, this assumption turns out to be crucial, as nicely illustrated in Ref. [?]. There it was shown that the security of the Bennett-Brassard (BB84) protocol is entirely compromised if Alice and Bob use 4-dimensional states instead of qubits, as usual security proofs always assume. It is however possible to avoid this requirement by basing the security on nonlocality. Specifically, by checking for the violation of a Bell inequality [5], Alice and Bob can ensure that they share nonlocal correlations, in which case security can be guaranteed without having any detailed knowledge of the functioning of the cryptographic devices [?]. This is 'device-independent' (DI) QKD [?] (see also [?]).

The promise of a higher level of security, as well as the recently demonstrated attacks on actual QKD systems [?], have motivated research towards the practical implementation of DI-QKD. Despite recent progress [?], this remains a challenging problem. Moreover, the fact that DI-QKD is based on nonlocality strongly suggests that only entanglement-based protocols are suitable for obtaining this stronger notion of security. However, almost none of the practical QKD systems, in particular none of the commercially available ones, use entanglement; they all operate in a one-way configuration, in which Alice prepares a quantum state and sends it to Bob, who then performs a measurement on it (hence often called 'prepare and measure').



Here we will argue that a form of DI security, thus stronger than usual security proofs, can nevertheless be obtained for QKD protocols which do not make use of entanglement. Specifically, we shall see that in a semi-device-independent scenario, in which the devices are non-characterized but only assumed to produce quantum systems of a given dimension, security of one-way QKD against individual attacks can be demonstrated. In particular, our proof will make use of the analogy between one-way QKD protocols, dimension witnesses [12] and random-access codes [?]. To the best of our knowledge, our work represents the first QKD security proof that can be applied directly to the one-way configuration.

We shall start by presenting the semi-DI scenario we consider, stating clearly all assumptions we make. Then, we will consider the BB84 protocol and show that it becomes completely insecure in this context. This will also make clear that dimension witnesses are suitable tools for tackling this problem. Next we will discuss the intimate relation existing between dimension witnesses and random-access codes [?]. Finally we will describe a specific QKD protocol and derive, via its associated dimension witness (or random-access code), a security proof.



I. PRELIMINARIES 

In a one-way QKD scheme Alice encodes classical information in a quantum system, which she sends to Bob via a quantum channel. Bob then performs a measurement on the system, from which he decodes some information. After repeating these operations many times, Alice and Bob estimate the error rate (by revealing randomly chosen bits from the raw key), which leads to an upper bound on Eve's information. Finally, Alice and Bob perform classical post-processing (error correction, privacy amplification) to extract the sifted key on which Eve has arbitrarily small information.

FIG. 1: Semi-device-independent one-way QKD.

Here we shall work in a semi-DI scenario. That is, we will assume that the (relevant) Hilbert space dimension of the quantum systems is known [21], but that the quantum preparations and measurements are non-characterized. It will thus be convenient to describe the devices of Alice and Bob by black boxes. Specifically, Alice's black box is a 'state preparator'. Alice has the freedom to choose among a certain set of preparations $\rho_a$ with $a \in \{0, \ldots, N-1\}$, but knows nothing about these quantum states apart from their dimensionality $d$. We also assume that Alice's preparations $\rho_a$ are unentangled from Eve; note that if Alice's preparations were entangled with Eve's system, then the communication capacity would be effectively doubled using dense coding. Bob's device is a measurement black box. He can choose to perform a measurement $M_y$ with $y \in \{0, \ldots, m-1\}$ and gets the outcome $b \in \{0, \ldots, k-1\}$. The measurement operators $M_y$ are non-characterized; note that Eve could in principle send a system of arbitrary dimension to Bob. The boxes may also feature shared classical variables $\lambda$, known to Eve, but uncorrelated with the choice of preparation made by Alice and the choice of measurement made by Bob.

After repeating this procedure many times, Alice and Bob can estimate the probability distribution (or data table [15])

$$P(b|a,y) = \mathrm{tr}(\rho_a M_y^b), \tag{1}$$

which denotes the probability of Bob finding outcome $b$ when he performed measurement $M_y$ and Alice prepared $\rho_a$. Our goal will be to show that, in some cases, the security of a given protocol against a quantum eavesdropper can be guaranteed solely from its associated data table $P(b|a,y)$. The security is thus semi-DI, in the sense that we do not require any knowledge of how the data table $P(b|a,y)$ was obtained, except for the fact that the device of Alice emits quantum systems of a given dimension.

Here we will restrict ourselves to individual attacks, in which Eve attacks each system sent by Alice independently (using the same strategy) and measures her system before the classical post-processing [?]. Indeed, we also need to make the basic assumption about information leakage from the devices. That is, no information about the inputs and output (i.e. $a$, $y$ and $b$) leaks out of the boxes to Eve.

II. DIMENSION WITNESSES 

At this point one can already see a first requirement for obtaining semi-DI security for a given protocol. Suppose Alice's device prepares $d$-dimensional quantum systems. Then it must be impossible to reproduce the quantum data table with classical systems of dimension $d$. If not, then it could have been the case that Alice's device emits orthogonal quantum states (or equivalently classical states) from which Eve can get full information. Thus, full DI security, that is, where no assumption is made on the Hilbert space dimension, is impossible, since every data table can be reproduced using classical systems of sufficient dimension.

It turns out that a simple method for establishing lower bounds on the dimension of classical systems necessary to reproduce a given data table was recently developed in Ref. [12]. More precisely, the authors devised 'dimension witnesses', of the form

$$\sum_{a,y,b} w_{aby}\, P(b|a,y) \le C_d, \tag{2}$$

which can be thought of as Bell-type inequalities for data tables. Here the bound $C_d$ denotes the maximal value of the left-hand-side polynomial obtainable when Alice's device prepares classical $d$-dimensional systems. Interestingly, $d$-dimensional classical dimension witnesses can be violated by $d$-dimensional quantum systems, thus indicating that certain quantum data tables cannot be reproduced using classical states of the same dimension. Below we will make use of this 'quantum advantage'. We will consider a simple dimension witness which provides a separation between qubits and bits. In particular we will show how this witness can be naturally understood as a random-access code, which will allow us to prove semi-DI security of the corresponding QKD protocol.

From now on we will focus on the case where Alice's device prepares 2-dimensional quantum systems, and restrict to four preparations ($N = 4$) indexed by two bits $a_0, a_1$. Bob's device can perform two binary measurements ($m = 2$, $k = 2$). For the rest of the paper it will be convenient to use expectation values of the form

$$E_{a_0a_1,y} = P(b=0|a_0a_1,y). \tag{3}$$

Thus every experiment corresponds to a data table, given by a vector $\mathbf{E} = (E_{a_0a_1,y})_{a_0a_1,y}$ of $Nm = 8$ correlators.

First, we would like to characterize the set of data tables (i.e. the set of vectors $\mathbf{E}$) which can be obtained when Alice's box emits classical bits. We follow the geometrical methods of Ref. [12]. The set of interest to us is a polytope (in an 8-dimensional space). Its facets are (tight) 2-dimensional classical witnesses; that is, inequalities of the form (2) with $d = 2$ (note that here probabilities are simply replaced by correlators). It turns out that there are only two types of witnesses in the case. The first is a straightforward extension [22] of the witness $I_3$ of Ref. [12]. The second is of the following form:

$$S = E_{00,0} + E_{00,1} + E_{01,0} - E_{01,1} - E_{10,0} + E_{10,1} - E_{11,0} - E_{11,1} \le 2. \tag{4}$$

This witness will be our main tool to assess the security of one-way QKD protocols.

BB84 is not secure. As a warm-up, it is instructive to consider first the case of the BB84 protocol. In this case, the four preparations of Alice are given by

$$\rho_{00} = |0\rangle\langle 0|, \quad \rho_{11} = |1\rangle\langle 1|, \quad \rho_{10} = |+\rangle\langle +|, \quad \rho_{01} = |-\rangle\langle -|. \tag{5}$$

Here $|0\rangle$ and $|1\rangle$ are the eigenstates of the Pauli matrix $\sigma_z$, and $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$ are the eigenstates of $\sigma_x$. The two measurements of Bob are given by $M_0 = \sigma_z$ and $M_1 = \sigma_x$.

Thus the corresponding data table is given by $E_{00,0} = \mathrm{tr}(\rho_{00}\sigma_z) = 1$, and similarly $E_{10,1} = 1$, $E_{01,1} = E_{11,0} = 0$, and $E_{00,1} = E_{01,0} = E_{10,0} = E_{11,1} = 1/2$. Thus the BB84 data table achieves $S = 2$ and thus does not violate the witness (4); note that it also satisfies the witness $I_3$ of [12] as well as all symmetries. This indicates that it can be reproduced by sending one classical bit when the boxes of Alice and Bob share randomness. Note that this is a peculiarity of the BB84 data table [23]. Indeed this result also applies to any protocol using the same states and measurements as BB84, for instance the SARG protocol [16].

A possible strategy is the following. Alice and Bob share one random bit $\lambda$. Considering Alice's preparations, note that the bit $a_0 \oplus a_1$ denotes the basis, while the bit $a_1$ denotes the encoded bit. When $\lambda = 0$, Alice sends to Bob the (one bit) message $m = a_0$. Bob, upon getting his input $y$ and the message $m$ from Alice, outputs $b = m \oplus y = a_0 \oplus y$. Thus $b = a_1$ whenever Alice and Bob choose the same basis ($a_0 \oplus a_1 = y$), and $b \neq a_1$ when they choose a different basis ($a_0 \oplus a_1 \neq y$). When $\lambda = 1$, Alice sends the message $m = a_1$, and Bob outputs $b = m = a_1$. Thus we have that $a_1 = b$ for any pair of bases $a_0 \oplus a_1$, $y$. Since the shared variable $\lambda$ is unbiased, Alice and Bob reproduce the BB84 data table.
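The strategy above can be checked exhaustively. The following is an added example, not code from the paper: it builds the BB84 data table, simulates the one-bit strategy over both values of the shared bit, and evaluates the witness S. All function names are hypothetical, and `eve_key_bit` additionally assumes that the basis $a_0 \oplus a_1$ is announced during sifting, as in standard BB84.

```python
from fractions import Fraction
from itertools import product

RUNS = list(product((0, 1), repeat=3))        # every (a0, a1, y)

def bb84_table():
    """E[a0,a1,y] = P(b=0) for BB84: basis a0^a1, encoded bit a1.
    Same basis gives the encoded bit with certainty, otherwise 1/2."""
    return {(a0, a1, y): Fraction(1 - a1) if (a0 ^ a1) == y else Fraction(1, 2)
            for a0, a1, y in RUNS}

def classical_run(a0, a1, y, lam):
    """One run of the one-bit strategy; returns (message m, Bob's output b)."""
    if lam == 0:
        m = a0
        return m, m ^ y
    m = a1
    return m, m

def classical_table():
    """Data table of the strategy, averaged over the unbiased shared bit lam."""
    return {(a0, a1, y): sum((Fraction(1, 2) for lam in (0, 1)
                              if classical_run(a0, a1, y, lam)[1] == 0),
                             Fraction(0))
            for a0, a1, y in RUNS}

def witness_S(table):
    """S of Eq. (4): correlators weighted by (-1)^(a_y)."""
    return sum((-1) ** (a0, a1)[y] * table[a0, a1, y] for a0, a1, y in RUNS)

def eve_key_bit(m, lam, basis):
    """Assumption of this example: Eve copies the classical message m, knows
    lam, and hears the basis a0^a1 announced during sifting."""
    return m if lam == 1 else m ^ basis

def eve_always_right():
    """True if Eve recovers the encoded bit a1 in every run."""
    return all(eve_key_bit(classical_run(a0, a1, y, lam)[0], lam, a0 ^ a1) == a1
               for a0, a1, y in RUNS for lam in (0, 1))

if __name__ == "__main__":
    S = witness_S(bb84_table())
    print("tables identical:", classical_table() == bb84_table())
    print("S =", S, " P_B =", (S + 4) / 8)
    print("Eve recovers every key bit:", eve_always_right())
```

The two tables coincide entry by entry, so statistics alone cannot distinguish genuine BB84 qubits from a device that emits a copyable classical bit.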



III. CONNECTION TO RANDOM-ACCESS CODES 

To devise a secure QKD protocol in the semi-DI setup, we need to consider data tables which violate (at least) one of the dimension witnesses $I_3$ or $S$. Here we shall focus on the latter, which it will be useful to think of in terms of a random-access code.

Specifically, let us imagine that Alice receives two (uniformly distributed) bits $a_0$ and $a_1$. She is then allowed to send a physical system to Bob, which encodes information about her input bit string. Bob is asked to guess the $y$-th bit of Alice ($y$ is uniformly distributed as well), and thus performs a measurement on the system he received from Alice to extract this information. This is a 2-to-1 random-access code. When Alice sends one bit of classical communication, the optimal average probability for Bob to succeed is 3/4 [13].

The witness $S$ represents a 2-to-1 random-access code. For each of her four possible input bit strings $\{a_0, a_1\}$, Alice associates a preparation $\rho_{a_0a_1}$. Upon being asked to guess bit $y$, Bob performs measurement $M_y$. The outcome $b$ of the measurement is then his guess for $a_y$.

From inspection of $S$, we see that $w_{a_0a_1,y} = (-1)^{a_y}$ (where $w_{a_0a_1,y}$ is the coefficient of the term $E_{a_0a_1,y}$), which implies that

$$S = \sum_{a_0,a_1,y} P(b = a_y|a_0a_1,y) - 4. \tag{6}$$

Thus, for a given data table, Bob's success probability

$$P_B = \frac{1}{8}\sum_{a_0,a_1,y} P(b = a_y|a_0a_1,y) = \frac{S+4}{8} \tag{7}$$

is determined by the value of the dimension witness $S$, and inversely. Indeed the inequality $P_B \le 3/4$ corresponds to $S \le 2$. Note that the relation between dimension witnesses and random-access codes can be generalized (see also [14] for a related approach).

It turns out that Alice and Bob can perform better at this task when using qubits. The optimal set of preparations are, for instance, obtained by having preparations (5), but changing Bob's measurements to $M_0 = (\sigma_z + \sigma_x)/\sqrt{2}$ and $M_1 = (\sigma_z - \sigma_x)/\sqrt{2}$. This choice of preparations and measurements leads to $S = 8\cos^2(\pi/8) - 4$ or equivalently

$$P_B = \cos^2(\pi/8) \approx 0.8536. \tag{8}$$

Note that this set of preparations and measurements is intimately related to the Clauser-Horne-Shimony-Holt Bell inequality (see also [?]).

IV. SECURITY OF ONE-WAY QKD 

The protocol is based on the preparations and measurements achieving the optimal violation of $S$ for qubits. Alice generates two random bits $a_0, a_1$ and sends the corresponding preparation $\rho_{a_0a_1}$ to Bob. Bob generates a random bit $y$, performs measurement $M_y$ and guesses bit $a_y$. After repeating these operations a large number of times (we consider here only the asymptotic limit), Alice and Bob can estimate the data table by revealing part of their data on a public channel. By computing the value of $S$ they obtain $P_B$. Below we show that if $P_B > \frac{5+\sqrt{3}}{8} \approx 0.8415$, a value slightly lower than the optimal value using qubits, security is obtained.

Proof. Csiszár and Körner [?] showed that Alice and Bob can obtain a secret key if $I(A:B) > I(A:E)$, where the mutual information is given by

$$I(A:X) = \sum_j \left[1 - h\big(P_X(a_{y_j})\big)\right]. \tag{9}$$

Here $y_j$ denotes the choice of basis (or equivalently which bit of Alice party $X$ chose to guess) in the $j$-th run of the protocol, and $h(p)$ is the Shannon binary entropy. From this, one can get a sufficient condition for security given by

$$P_B > P_E \tag{10}$$

where $P_X = \frac{1}{2}\left[P_X(a_0) + P_X(a_1)\right]$ denotes the average probability of guessing correctly for party $X$.

Our main ingredient will be a result derived by König [?]. Consider the set $F_n$ of all (boolean) balanced functions on $n$-bit strings, that is, which return for exactly half of the $2^n$ strings. Alice gets as input the $n$-bit string and Bob is asked to guess the value of a randomly (and uniformly) chosen function in $F_n$ after receiving $s$ qubits from Alice. Then the average probability for Bob to succeed is upper bounded as follows:

$$P_n \le \frac{1}{2}\left(1 + \sqrt{\frac{2^s - 1}{2^n - 1}}\right). \tag{11}$$

For the case of interest to us, i.e. $n = 2$ bits, the set of all balanced functions is $a_0$, $a_1$, $a_0 \oplus a_1$, and their negations. Clearly the optimal probabilities of guessing a function and its negation are equal. Thus, when Alice sends a single qubit to Bob ($s = 1$), we have that

$$P_B(a_0) + P_B(a_1) + P_B(a_0 \oplus a_1) \le \frac{3}{2}\left(1 + \frac{1}{\sqrt{3}}\right). \tag{12}$$

Clearly the previous inequality holds also when Bob and Eve collaborate (the index $B$ is then simply replaced by $BE$) and we will make use of it in this case. Using the relations $P_{BE}(a_0) \ge P_B(a_0)$ and $P_{BE}(a_1) \ge P_E(a_1)$ and

$$P_{BE}(a_0 \oplus a_1) \ge P_{BE}(a_0, a_1) \ge P_{BE}(a_0) + P_{BE}(a_1) - 1, \tag{13}$$

where the second inequality follows from the sum rule, we get

$$P_{BE}(a_0) + P_{BE}(a_1) + P_{BE}(a_0 \oplus a_1) \ge 2P_B(a_0) + 2P_E(a_1) - 1. \tag{14}$$

Using (12) we get that

$$P_B(a_0) + P_E(a_1) \le \frac{5+\sqrt{3}}{4} \tag{15}$$

and an analogous inequality with $a_0$ and $a_1$ interchanged. This shows that when Eve tries to guess a different bit than Bob (i.e. she measures in the wrong basis) she will necessarily disturb the statistics of Bob. From inequality (15) and its symmetry with respect to $a_0$ and $a_1$, we get that

$$P_B + P_E \le \frac{5+\sqrt{3}}{4}. \tag{16}$$

This implies that $P_B > P_E$ as long as

$$P_B > \frac{5+\sqrt{3}}{8} \approx 0.8415 \tag{17}$$

as announced. For the optimal qubit preparations and measurements achieving (8), the key rate is found to be

$$r = I(A:B) - I(A:E) \approx 0.0581. \tag{18}$$
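The chain from Eq. (11) to Eq. (18) can be turned into a parameter-estimation check on an estimated data table. This is an added example, not code from the paper; the function names are hypothetical, the sample tables are constructed, and the per-run mutual information $1 - h(P_X)$ is an assumed form that reproduces the quoted rate $r \approx 0.0581$.

```python
import math

def h(p):
    """Shannon binary entropy in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def konig_bound(n, s):
    """Eq. (11): bound on guessing a random balanced function of n bits
    after receiving s qubits."""
    return 0.5 * (1 + math.sqrt((2 ** s - 1) / (2 ** n - 1)))

# Eqs. (12)-(16) with n = 2, s = 1: P_B + P_E <= (3 * bound + 1) / 2 = (5 + sqrt 3) / 4
SUM_BOUND = (3 * konig_bound(2, 1) + 1) / 2
THRESHOLD = SUM_BOUND / 2                      # Eq. (17): (5 + sqrt 3) / 8

def witness_S(table):
    """S of Eq. (4) from table[(a0, a1, y)] = P(b=0 | a0 a1, y)."""
    return sum((-1) ** (a0, a1)[y] * e for (a0, a1, y), e in table.items())

def assess(table):
    """Return (S, P_B, secure, key-rate bound) for an estimated data table."""
    S = witness_S(table)
    p_b = (S + 4) / 8                          # Eq. (7)
    if p_b <= THRESHOLD:
        return S, p_b, False, 0.0
    p_e = SUM_BOUND - p_b                      # largest P_E allowed by Eq. (16)
    rate = (1 - h(p_b)) - (1 - h(p_e))         # I(A:B) - I(A:E), assumed per-run form
    return S, p_b, True, rate

def rac_table(p):
    """Constructed sample table: every guess b = a_y succeeds with probability p."""
    return {(a0, a1, y): p if (a0, a1)[y] == 0 else 1 - p
            for a0 in (0, 1) for a1 in (0, 1) for y in (0, 1)}

if __name__ == "__main__":
    print("threshold P_B >", round(THRESHOLD, 4))
    for label, p in [("optimal qubit value", math.cos(math.pi / 8) ** 2),
                     ("slightly degraded (constructed)", 0.84),
                     ("classical bound", 0.75)]:
        S, p_b, ok, rate = assess(rac_table(p))
        print(f"{label}: S={S:.4f} P_B={p_b:.4f} secure={ok} rate={rate:.4f}")
```

A success probability of 0.84 already falls below the threshold, which shows how little degradation from the optimal value 0.8536 this bound tolerates.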



V. DISCUSSION 

We have discussed the security of one-way QKD in a semi- 
device-independent context. By making links to dimension 
witnesses and random-access codes, we showed that security 
against individual attacks is possible. 

It is natural to ask whether this concept is relevant from a practical viewpoint. Since semi-DI QKD represents a relaxation of the assumption of standard QKD proofs, it offers several advantages, notably that no assumptions on the devices are required (apart from the fact that Alice's device emits preparations of bounded dimension), and that it can be applied directly to the one-way configuration. At this stage, our result should however be understood as a proof of principle. A next step would be to study robustness to imperfections (such as losses or detection efficiency) as well as against more general attacks. It would also be interesting to improve on our bound for security (which is likely to be suboptimal), and to see whether all data tables violating a classical dimension witness could offer security. In this context it might also be relevant to consider entropic quantities [14, 19].

A comparison to full DI QKD is also worthwhile. Arguably the main drawback of our approach is the assumption of bounded dimensionality, as it forces us to assume that Alice's device features no side-channels from which Eve could extract information. This requirement could however be partly lifted by finding protocols where qubits offer security under the assumption that the preparations are arbitrary quantum states of higher dimensions; note that this would require protocols using more preparations.

Finally, from a more foundational point of view, it would be interesting to study the connection between semi-DI one-way QKD and DI entanglement-based QKD, in the light of the strong link that exists between nonlocality and random-access codes [20].